[PATCH 2/3] dirmngr: add system CAs if no hkp-cacert is given

Kristian Fiskerstrand kristian.fiskerstrand at sumptuouscapital.com
Fri Oct 28 00:59:03 CEST 2016

On 10/28/2016 12:30 AM, Daniel Kahn Gillmor wrote:
> * dirmngr/dirmngr.c (http_session_new): if the user isn't talking to
>   the HKPS pool, and they have not specified any hkp-cacert, then we
>   should default to the system CAs, rather than nothing.
> * doc/dirmngr.texi: document choice of CAs.

I'm a bit ambiguous about this change. In Gentoo we currently have the
use of a system CA behind a user-selectable use flag for hkps but even
so the set of provided CAs is originating mostly from Mozilla.

As seen with the latest WoSign / StartCom issues, Mozilla is not overly
concerned about third-party usage of the provided CA certificates, and
has more complex restrictions in place for NSS (e.g. specific
notBeforeDate and OneCRL checking).

As such I question the security of the root stores and actually like
that it defaults to not using system CAs so users need to make an
informed decision.

Kristian Fiskerstrand
Blog: https://blog.sumptuouscapital.com
Twitter: @krifisk
Public OpenPGP keyblock at hkp://pool.sks-keyservers.net
fpr:94CB AFDD 3034 5109 5618 35AA 0B7F 8B60 E3ED FAE3
Nil satis nisi optimum
Nothing but the best is good enough


More information about the Gnupg-devel mailing list